Back

Malware Promotion via Fake Forums

I recently accidentally discovered a new technique for bad actors to promote malware.

Discovering

Whilst doing some random googling and looking at some of the last pages to try and discover some new techniques, I noticed a recurring pattern in some sites which came up. Then, I noticed this was a method for promoting malware with some interesting ways. This is a writeup on this method.

Forums

In case you don’t know, forums are a popular form of websites for discussing topics, usually having sites dedicated to certain things like computing, companies / projects (like Mozilla, etc). Most of these are legitmate, having actual people talking and most people not being malicious; however these sites are completely fake.

Templating

The forums I found were essentially HTML templates, swapping some text with what is included in a query parameter (like ?q=example+text) PHP.

Site 1

Here is Site 1 with the original URL /forum/?q=songs+for+every+assemblysongs+assembly: Site 1 Screenshot

Site 2

Here is Site 2 with the original URL /541: Site 2 Screenshot

Site 3

Here is Site 3 with the original URL /103.html: Site 3 Screenshot

Differences

As you can see, the sites are near identical with small differences:

  • Slightly different text in posts
  • Different original post name and content, via query parameter or filename
  • Different usernames

Other than username, the users are identical:

  • Profile picture
  • Role
  • Join date
  • Post count

Promotion

How they promote in these fake forums is luring users into a false sense of security by having the fake forum members say the links are legitimate. These can be seen in the posts below the message with the link: (text in [] is added by me for clarification)

User 1: But it requires CC [credit card information].

User 2: Yes, just fill it [CC] in, its trusted site.

User 1: Thanks, CC just to make sure you aren’t bot.

User 3: Thanks guys, looked for this long time too.

User 4: Oh man, that’s great, thank, solid website, entered CC and just downloaded what I needed.

The link goes to various different sites which eventually asks the user to create an account, then scamming them via requiring credit card information. One interesting thing is a what looks to be a referral system.

Profit

The ways these sites seem to profit is via a referral / partner system. This can be seen in the sites you go to when clicking one of the links in one of the forums (domains replaced with examples):

  1. Fake forum: https://fake-forum.example/forum/?q=honk.camp
  2. Redirect PHP script: https://fake-forum.example/forum/go.php?q=Honk.camp
  3. Randomised partner site with passed on info (template name, referral from site): https://intermediate-partner.example/ebook.html?pid=6&offer_id=26&ref_id=0dfc8e7b257b53ca7cbd9f471jlYLyLK_2a5500e6_3f0e4cf5&sub1=2a5500e6&keyword=Honk.camp&sub8=Honk.camp&m=Honk.camp
  4. Link from that site: https://redirect.example/?a_aid=864kjuyuio54&page=m-2-pantherBK&clickid=60f9d22ff1ec720001343564&pubid=2a5500e6
  5. Redirected from above: https://signup-partner.example/registration?theme=m-2-pantherBKF-NFX&v_id=554f3cc4-ecdb-f5cd-3dc7-42c5e7086128&capo=aHVidHVybi5pbmZv&a_aid=864kjuyuio54&page=m-2-pantherBK&clickid=60f9d22ff1ec720001343564&pubid=2a5500e6